nanog mailing list archives
RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)
From: Donald Stahl <don () calis blacksun org>
Date: Mon, 4 Jun 2007 17:45:42 -0400 (EDT)
You're argument is equally ridiculous because in order to work the NAT box has to do stateful inspection anyway!Sorry, Owen, but your argument is ridiculous. The original statement was "[t]here's no security gain from not having real IPs on machines". If someone said, "there's no security gain from locking your doors", would you refute it by arguing that there's no security gain from locking your doors that you don't get from posting armed guards round the clock?
A better statement would be:"there's no security gain from locking your doors" (NAT), if you have already posted "armed guards round the clock" (Stateful Inspection)
NAT provides protection in the case where you have a stateful inspection firewall that fails open- something that no serious firewall I have ever seen does. If they aren't doing stateful inspection- then they aren't routing at all (or certainly shouldn't be).
-Don
Current thread:
- Re: Security gain from NAT, (continued)
- Re: Security gain from NAT Sam Stickland (Jun 04)
- RE: Security gain from NAT Howard C. Berkowitz (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Colm MacCarthaigh (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
- Re: Security gain from NAT Jason Lewis (Jun 04)
- Re: Security gain from NAT Daniel Senie (Jun 04)
- Re: Security gain from NAT Steven M. Bellovin (Jun 05)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Owen DeLong (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Matthew Palmer (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) David Schwartz (Jun 05)
- Re: Security gain from NAT Jeff McAdams (Jun 05)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 05)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Nicholas Suan (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Donald Stahl (Jun 04)
- RE: Security gain from NAT (was: Re: Cool IPv6 Stuff) Edward B. DREGER (Jun 04)
- Re: Security gain from NAT (was: Re: Cool IPv6 Stuff) Perry Lorier (Jun 05)